Beats – ELK


Beats are lightweight data shipping agents installed on machines to send data to logstash or elasticsearch. Beats installed on multiple machines help to centralize data for analysis. It is also possible to ship data to hosted elasticsearch. Filebeat, Metricbeat, Packetbeat, Winlogbeat, Auditbeat and Hearbeat are the members of beat family.


Winlogbeat is used to ship data from Windows machines to Elasticsearch or Logstash


Download the Winlogbeat zip file from

Extract the contents into C:\Program Files.

Rename the winlogbeat-<version> directory to Winlogbeat.

Open a PowerShell prompt as an Administrator

PS C:\Users\Administrator> cd 'C:\Program Files\Winlogbeat'

PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1

Security warning

Run only scripts that you trust. While scripts from the internet can be useful,

this script can potentially harm your computer. If you trust this script, use

the Unblock-File cmdlet to allow the script to run without this warning message.

Do you want to run C:\Program Files\Winlogbeat\install-service-winlogbeat.ps1?

[D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R

Status   Name               DisplayName
------   ----               -----------
Stopped  winlogbeat         winlogbeat

Before starting Winlogbeat, the configuration file for winlogbeat is winlogbeat.yml that is available in the extracted folder, for example C:\Program Files\Winlogbeat\winlogbeat.yml. There’s also a full example configuration file called winlogbeat.reference.yml that shows all non-deprecated options.

Configure Winlogbeat

To configure Winlogbeat, you edit the winlogbeat.yml configuration file.

Here is a sample of the winlogbeat.yml file:

  - name: Application
  - name: Security
  - name: System

    - localhost:9200

logging.to_files: true
  path: C:/ProgramData/winlogbeat/Logs
logging.level: info

To configure Winlogbeat:

In the event_logs section, specify the event logs that you want to monitor. By default, Winlogbeat is set to monitor application, security, and system logs:

  - name: Application
  - name: Security
  - name: System

If you are sending output directly to Elasticsearch (and not using Logstash), set the IP address and port where Winlogbeat can find the Elasticsearch installation:

   - localhost:9200

If you are sending output to Logstash

     hosts: [""]

If you plan to use the sample Kibana dashboards provided with Winlogbeat, configure the Kibana endpoint:


  host: "localhost:5601"

Where host is the hostname and port of the machine where Kibana is running, for example, localhost:5601.

If you specify a path after the port number, you need to include the scheme and port: http://localhost:5601/path.

If you’ve secured Elasticsearch and Kibana, you need to specify credentials.

  hosts: ["elasticsearchhost:9200"]
  username: "user"
  password: "password"

  host: "kibanahost:5601"
  username: "user"
  password: "password"

After you save your configuration file, test it with the following command.

PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e

Winlogbeat can be used to load an index template for elasticsearch. The is a default template file for Winlogbeat is installed by the Winlogbeat packages. If you accept the default configuration in the winlogbeat.yml config file, Winlogbeat loads the template automatically after successfully connecting to Elasticsearch.

Once the configuratio is done you can start the “winlogbeat” service from Window’s services console.

By default logs are stored in the C:\ProgramData\winlogbeat\Logs folder. Open winlogbeat file to see the log details

2018-04-04T08:02:44+03:00 INFO Home path: [C:\ProgramData\winlogbeat-6.1.1-windows-x86_64] Config path: [C:\ProgramData\winlogbeat-6.1.1-windows-x86_64] Data path: [C:\\ProgramData\\winlogbeat] Logs path: [C:\\ProgramData\\winlogbeat\logs]
2018-04-04T08:02:44+03:00 INFO Metrics logging every 30s
2018-04-04T08:02:44+03:00 INFO Beat UUID: db80f896-0169-45bb-ac63-84946a2c11a3
2018-04-04T08:02:44+03:00 INFO Setup Beat: winlogbeat; Version: 6.1.1
2018-04-04T08:02:44+03:00 INFO Beat name: MYHOSTNAME
2018-04-04T08:02:44+03:00 INFO State will be read from and persisted to C:\ProgramData\winlogbeat\.winlogbeat.yml
2018-04-04T08:02:44+03:00 INFO winlogbeat start running.
2018-04-04T08:02:46+03:00 INFO EventLog[Security] successfully published 45 events
2018-04-04T08:02:56+03:00 INFO EventLog[Security] successfully published 18 events
2018-04-04T08:02:57+03:00 INFO EventLog[Security] successfully published 5 events
2018-04-04T08:02:59+03:00 INFO EventLog[Security] successfully published 2 events
2018-04-04T08:03:01+03:00 INFO EventLog[Security] successfully published 4 events

Login to Kibana console to view the shipped logs